Http 403 error while getting vault repo metadata for 9.3 version


I need to get packages from the 9.3 vault repository but unfortunately this does not because I get a 403 permission denied error when trying to get the metadata:

curl -v
*   Trying
* Connected to ( port 443
* schannel: disabled automatic use of client certificate
* ALPN: curl offers http/1.1
* ALPN: server accepted http/1.1
* using HTTP/1.1
> GET /vault/rocky/9.3/BaseOS/x86_64/os/repodata/repomd.xml HTTP/1.1
> Host:
> User-Agent: curl/8.4.0
> Accept: */*
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
< HTTP/1.1 403 Forbidden
< Connection: keep-alive
< Content-Length: 146
< Content-Type: text/html
< Server: nginx
< Accept-Ranges: bytes
< Date: Mon, 01 Apr 2024 22:11:37 GMT
< Via: 1.1 varnish
< X-Served-By: cache-yyz4524-YYZ
< X-Cache: MISS
< X-Cache-Hits: 0
< X-Timer: S1712009498.520872,VS0,VE39
<head><title>403 Forbidden</title></head>
<center><h1>403 Forbidden</h1></center>
* Connection #0 to host left intact

All architectures have the same issue, not only x86_64

I checked the 9.2 version and this one works. So I guess it’s an issue in the repo build process somehow.

Is there another mirror that I can use for the vault repo? or can you fix the permissions?
I can probably figure out a way to scrap the website to rebuild a repo on my side but that will be far from efficient.

Let me know if that’s not the correct place to report this kind of issue.

Thank for your help


We keep the repodata locked on purpose to prevent mirror manager from picking it up during the scanning process.

It would help to know what exactly you need from the vault. If all you need is a couple of packages, it may just be easier to download and provide them yourself locally.


I basically need some older kernel packages (including -devel ones) because of some third-party tools requirements.
And since you are only keeping the latest kernel version in the main repo I need to get them from the vault one.
Having access to the metadata would have been way more easier to sync up those.
I don’t know beforehand which exact version I need, the tools usually need 1 or 2 version back,
Not ideal, but I guess my only option will be to scrap the website to find all the versions and push them in a local repo.

But just curious of the reasons behind only keeping the latest kernel version in the main repo and preventing the mirroring of the vault repos

In any case, thanks for the quick answer, it’s appreciated.


I just ran into this HTTP 403 on the 9.3 vault repo metadata while trying to pull down the latest kernel from the 9.3 vault for Lustre support on a freshly deployed 9.4 host. Since Lustre is a kernel module and doesn’t support 9.4 yet (usually takes a few weeks/months), I need the latest kernel from 9.3 (though the userspace stuff can all be from the latest release) and that is only available in the vault repo.

I built some automation for pinning kernel versions from vaulted repos when a new minor version is released to maintain kernel compat for Lustre but the “locked” vaulted repo is preventing this from working as expected.

I realize Lustre is relatively niche (mostly used in High Performance Computing) so I’m not expecting Rocky Linux release engineering to change everything to support this case - but it’s a painful experience so far as an HPC admin.

The vault for 9.3 is no longer locked now that 9.4 is released.

Thank you, @nazunalika! I wasn’t sure how long the lock would be present on the vaulted repo but it sounds like just until the next is release is available (or very shortly there after) which absolutely works for us.

I appreciate your efforts. Thanks for making Rocky Linux available!

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.